Apache2 User Authentication

major.tom · 06-23-2007, 01:51 PM

I recently updated my Slackware 11 box to -current. One of the many things updated was Apache 1.3 -> 2.2. However, now user authentication no longer works on my website.

I've copied the users and groups files from the old /etc/apache to the new /etc/httpd directories. Also updated httpd.conf, but still get 403 - Forbidden errors.

The folder has an index.php (and php is working).
auth_basic_module is enabled (only ssl isn't by default).

Here are the relevant areas of my config file:

Code:

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/chroot/httpd/www">
    Options FollowSymLinks MultiViews
    AllowOverride FileInfo Limit
    Order allow,deny
    Allow from all
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

<IfModule alias_module>
    Alias /blah "/chroot/httpd/var/blah"
    <Directory /chroot/httpd/var/blah>
        AuthType Basic
        AuthName "blah"
        AuthUserFile  /etc/httpd/users
        AuthGroupFile /etc/httpd/groups
        Require group admin
        Satisfy All
        Options FollowSymLinks Indexes
        AllowOverride None
    </Directory>
</IfModule>

Any suggestions would be much appreciated.

Garry

tobyl · 06-23-2007, 04:20 PM

I'm no expert on apache, but could it be related to the fact that the default httpd user is now apache and I think it was nobody before?
So if you haven't you might want to chown and chmod your users and groups files to allow root/apache appropriate access rights.
Also, I take it 'Require group admin' is satisfied?

just a couple of thoughts,

oh, and don't forget the error log.../var/log/httpd

tobyl

major.tom · 06-23-2007, 04:32 PM

I suspect you're right. I had created a custom user & group (httpd:httpd) for apache 1.3 to run in so it would be chrooted. I'm just going through the permissions to update them to the new user.

The authentication was working before (with 1.3) so the users/groups should be ok.

I tried generating a new password file, and it appears to have a slightly different format from the old one.

One interesting thing is that I'm not prompted for a password. It just goes directly to the 403 page. This suggests to me that it's not even realizing that this folder requires a password.

AllowOverride AuthConfig is for use when you have a .htaccess file in the folder in question, right? (I don't use them.) I've tried both ways with the same results.

Thanks for your help!

Garry

major.tom · 06-23-2007, 05:00 PM

Just thought I'd follow up that I think I resolved this issue. When updating the httpd.conf file from to Apache 2.2, I'd included 2 lines that weren't in my current file:

Code:

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Once removed, I was prompted for a password and got in.

Thanks,

Garry

tobyl · 06-23-2007, 05:18 PM

Ah, didn't spot that, glad you got it sorted

tobyl